Social Sharing

Computer systems at 3 key departments penetrated

An unprecedented cyberattack on the Canadian government also targeted Defence Research and Development Canada, making it the third key department compromised by hackers, CBC News has learned.

The attack, apparently from China, also gave foreign hackers access to highly classified federal information and also forced the Finance Department and Treasury Board — the federal government's two main economic nerve centres — off the internet.

Defence Research and Development Canada works to assist in the scientific and technological needs of the Canadian Forces. It is a civilian agency of the Department of National Defence.

The cyberattack, first detected in early January, left Canadian counter-espionage agents scrambling to determine how much sensitive government information may have been stolen and by whom.

Other hacking cases

February 2011: U.S. computer security firm McAfee reports hackers operating from China stole sensitive information from Western oil companies in the United States, Taiwan, Greece and Kazakhstan, beginning in November 2009.

March 2010: Citizen Lab and the SecDev Group discover computers at embassies and government departments in 103 countries, including the Dalai Lama's office and India, were compromised by an attack originating from servers in China. They dub the network involved "GhostNet."

January 2010: Google claims cyberattacks from China have hit it and at least 20 other companies. Google shuts down its China operations.

June 2009: A top-secret memo by the Canadian Security Intelligence Service warns that cyber attacks on government, university and industry computers have been growing "substantially."

February 2008: Quebec provincial police say they dismantled a computer hacking network that targeted unprotected computers around the world, including government computers.

Highly placed sources tell CBC News the cyberattacks were traced back to computer servers in China.

They caution, however, that there is no way of knowing whether the hackers are Chinese, or some other nationality routing their cybercrimes through China to cover their tracks.

So far, officials in Prime Minister Stephen Harper's government have been all but mum on the extraordinary breach of security.

The government initially issued a terse statement, passing it all off as merely an "attempt to access" federal networks. It has refused to release any further information.

Finance, Treasury Board

The hackers apparently managed to take control of computers in the offices of senior government executives as part of a scheme to steal the key passwords that unlock entire government data systems.

It is unclear whether the attackers were able to compromise other departmental computer networks, including those that contain Canadians' sensitive personal information such as tax and health records.

Michel Juneau-Katsuya, a security analyst and former CSIS intelligence officer, told CBC News on Thursday "all indications point at China" as the origin of the attempted cyber espionage.

He added that any such attack would have some connection to the government in China, which is also known for producing so-called "patriotic hackers" devoted to targeting institutions or governments perceived as threatening to the government at home.

Juneau-Katsuya said he believed Canada is seen by China as "a land of opportunity to get natural resources that they need so, so much."

The Chinese Foreign Ministry denied on Thursday that the Chinese government was responsible for the attack.

Once the attack was detected in early January, Canadian government cybersecurity officials immediately shut down all internet access at the Finance Department and the Treasury Board, in an attempt to stop stolen information from being sent back to the hackers over the net. In an earlier attack, Defence Research and Development had to shutdown access to one of its servers for two months.

The move left thousands of public servants without internet access, although officials in both affected departments report service has slowly been returning to normal since the attack.

While the government is trying to keep the embarrassing security breach under tight wraps, even from its own employees, a number of sources involved in the investigation agreed to speak to CBC News on condition of anonymity.

Canadian techno-gurus

This extraordinary tale of the Canadian government being targeted in cyber warfare actually began in 2009 with an international investigation by a group of Canadian techno-gurus whose findings shook the security world.

The group, called the Information Warfare Monitor, reported that an electronic spy network based mainly in China had hacked into almost 1,300 government computers in 103 countries.

They called the massive and now-infamous cyberspying operation GhostNet.

While many countries immediately moved to strengthen their defences against potential cyberattacks, it wasn't until the fall of 2010 that the Canadian government went on high-alert against potential electronic intruders.

Leading that task was the Communications Security Establishment Canada (CSEC), a little-known branch of National Defence, and the country's only electronic eavesdropping agency.

Sources say the agency went hunting for any signs the federal government networks might have been compromised.

Turns out they had.

At least two departments, Finance and Treasury Board, and the DND agency, had been compromised the same way the China-based hackers behind GhostNet had penetrated more than 100 other governments around the world.

How it was done

In the world of cybercops, it is called "executive spear-phishing."

Here's how it worked:

Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials.

The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.

At the same time, the hackers sent other staff seemingly innocuous memos as attachments.

The moment an attachment was opened by a recipient, a viral program was unleashed on the network.

The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.

One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It's just that it is dreadfully effective."

Effective indeed, especially against a government cybersecurity system that has long been described as a sieve.

Auditor-General Sheila Fraser, for one, first raised the alarm in 2002 when she warned "there are weaknesses in the system.

"There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them."

Three years later, Fraser checked again and found not much had changed.

"It is important that these things be dealt with and be fixed — the government is vulnerable to attacks."